Details
Type: New Feature
Status: Open
Priority: Major
Resolution: Unresolved
Description
Default sslMode to verify-full in 3.6, instead of plaintext. Connector/C 3.4 already made this change.
Why now
Until now, secure-by-default was impractical because of the setup work: CA management, keys, trust stores. Zero-configuration TLS in Server 11.4+ removes all of that. The server generates its own certificate, and the client verifies it via its fingerprint combined with the account password as a shared secret; no CA is needed. Connector/J 3.4+ already supports this, so against an 11.4+ server it just works.

The feature has been out since 11.4 LTS (2024) and is now in two LTS lines, so it is mature enough to rely on by default.
Performance
TLS is not free: there is a handshake cost on connect and some per-query overhead from encryption. For most workloads this is small, especially with connection pooling, where the handshake is amortized. We consider the security gain to clearly outweigh it; an unencrypted default is no longer acceptable when the server is already secure by default. Users who truly need raw speed can still opt out with sslMode=disabled.
Compatibility
This breaks connections that can't use zero-conf validation:
- MySQL, Percona, and MariaDB < 11.4 (no zero-conf),
- empty-password accounts (the password is the shared secret),
- PAM / gssapi auth,
but opting out is easy: set sslMode=disabled explicitly.
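The following is an added illustration, not code from this issue, from Connector/J, or from the MariaDB server. It is a simplified model of the idea behind zero-conf validation described under "Why now" (the client accepts a self-generated certificate because a proof binds the certificate fingerprint to the account password as a shared secret) and of the empty-password case listed under "Compatibility". The names Server, Interposer, binding_proof and client_connect are hypothetical, the proof construction is a plain HMAC over the scramble and fingerprint, and the model uses the cleartext password as the key; the server's real construction and wire format are not on this page and are not claimed here.

```python
"""Simplified model of fingerprint + shared-secret server verification.

Conceptual illustration only: NOT MariaDB's wire format or hash construction.
It shows why knowing the account password lets a client accept a self-signed
certificate without a CA, and why an empty password gives no protection.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def cert_fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 fingerprint of a certificate (opaque bytes stand in for DER here)."""
    return hashlib.sha256(cert_der).digest()


def binding_proof(password: str, scramble: bytes, fingerprint: bytes) -> bytes:
    """Proof that its producer knows the password AND presented this certificate.

    The key is derived from the password (hypothetical construction); the message
    binds a per-connection scramble (no replay) to the certificate fingerprint.
    """
    key = hashlib.sha256(password.encode("utf-8")).digest()
    return hmac.new(key, scramble + fingerprint, hashlib.sha256).digest()


class Server:
    """A server with a self-generated certificate and one account password."""

    def __init__(self, password: str) -> None:
        self.cert = secrets.token_bytes(64)  # constructed stand-in for a self-signed cert
        self.password = password

    def handshake(self, scramble: bytes) -> Tuple[bytes, bytes]:
        fp = cert_fingerprint(self.cert)
        return self.cert, binding_proof(self.password, scramble, fp)


class Interposer:
    """An on-path party that substitutes its own certificate.

    It can only produce a valid proof if it knows the account password; for an
    empty-password account the "secret" is public, so substitution goes unnoticed.
    """

    def __init__(self, password_guess: str) -> None:
        self.cert = secrets.token_bytes(64)
        self.password_guess = password_guess

    def relay(self, scramble: bytes, upstream: Server) -> Tuple[bytes, bytes]:
        upstream.handshake(scramble)  # the real answer is discarded
        fp = cert_fingerprint(self.cert)
        return self.cert, binding_proof(self.password_guess, scramble, fp)


def client_connect(password: str, server: Server,
                   interposer: Optional[Interposer] = None) -> Tuple[bool, bool]:
    """Return (proof_verified, certificate_is_the_real_server's)."""
    scramble = secrets.token_bytes(20)
    if interposer is None:
        cert, proof = server.handshake(scramble)
    else:
        cert, proof = interposer.relay(scramble, server)
    expected = binding_proof(password, scramble, cert_fingerprint(cert))
    verified = hmac.compare_digest(expected, proof)
    return verified, cert == server.cert


def scenarios() -> dict:
    """Three constructed cases: direct, substituted cert, empty-password account."""
    return {
        "direct": client_connect("s3cret", Server("s3cret")),
        "substituted_cert": client_connect("s3cret", Server("s3cret"), Interposer("")),
        "empty_password": client_connect("", Server(""), Interposer("")),
    }


if __name__ == "__main__":
    for name, (ok, genuine) in scenarios().items():
        print(f"{name:17s} verified={ok} genuine_cert={genuine}")
```

The direct case verifies against the server's own certificate; a substituted certificate fails because the proof cannot be recomputed without the password; with an empty password the substituted certificate verifies just as well, which is why such accounts cannot rely on verify-full with zero-conf and need sslMode set explicitly.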